A third-party immigration website called UK Visa Portal is publicly exposing passport photos and selfies of thousands of people who paid the company to help with UK visa applications. The security breach affects at least 100,000 documents uploaded by applicants as part of their visa process.
The exposed data includes highly sensitive personal information that could be used for identity theft or fraud. What makes this particularly concerning is that UK Visa Portal is not affiliated with the UK government, and many users appear to have mistakenly paid fees to this company instead of using the official GOV.UK website.
An anonymous tipster alerted TechCrunch to the security lapse. The publication verified the breach by confirming the authenticity of exposed data with affected individuals. Despite being notified about the issue, UK Visa Portal has refused to fix the security flaw.
The company’s response to the security disclosure has been problematic. UK Visa Portal doesn’t provide a way to report security issues through its website, nor does it list contact information for management. When TechCrunch attempted to report the breach through the company’s general email, they were redirected to lawyers and a PR firm instead of technical staff who could address the issue.
TechCrunch explained that due to the sensitive nature of passport data and personal photos, they could only share specific technical details with company management to prevent further misuse. However, UK Visa Portal’s management never responded, and the security vulnerability remains unfixed.
This incident highlights the risks of using unofficial third-party services for government applications. Many visa and immigration scams operate by creating websites that look official but charge unnecessary fees for services that should be free or handled directly through government portals.
The exposed passport data could have serious consequences for affected individuals:
- Identity theft using passport information
- Fraudulent visa applications in other countries
- Personal safety risks if travel plans become public
- Financial fraud using personal details
Immigration-related data breaches are particularly damaging because passports are primary identity documents accepted worldwide. Unlike credit cards that can be quickly canceled, passports require lengthy replacement processes and leave people vulnerable during that period.
The UK government operates official channels for visa applications that don’t require third-party intermediaries. Applicants should use the official GOV.UK website directly rather than paying additional fees to unofficial services. Using authorized government websites also ensures that personal documents are handled according to official data protection standards.
This case demonstrates why security researchers and journalists need direct access to company management when reporting vulnerabilities. When companies hide behind lawyers and PR firms instead of addressing security issues promptly, they put users at continued risk while trying to manage their public image.